As if GDPR weren’t complex enough, many sports organisations are wondering whether impending Brexit will further complicate their GDPR compliance efforts. The short answer appears to be yes. Brexit will certainly add another level of complexity.

What does this mean in reality? Failure to take action will mean sporting bodies could be be transfering data across borders illegally, risking large fines and criminal prosecution as well as reputional damage. This could also impact on future funding opportunites and cause job losses.

At present, sports organisations can freely transfer personal information such as names of athletes between Northern Ireland and their Irish counterparts as both countries are EU member states. At all times when personal data leaves the EU, the information is considered to have been sent to a ‘third country’. The EU has strict legal controls imposed to ensure the safety of the data when sent to a ‘third country. The UK will become a ‘third country’ after 29th March.

In a No-Deal Scenario the UK government has advised that there will be no change to any transfers of personal data from the UK to the EU post Brexit. However, the issue becomes complicated when personal data is been received by the UK from the EU.

For example, after 29th March the NI Sports Forum is able to freely send personal data to any affiliated club or organisation in the Republic of Ireland. However, issues will arise if those Irish affiliated clubs or organisations send personal data from the Republic of Ireland to NI Sports Forum without appropriate ‘safeguards’ in place.

The same safeguard requirement for transfer of personal data must be put in place regardless if a sports organisation is based in the Republic of Ireland and has affiliated clubs in Northern Ireland. For example, if a membership body has affiliated clubs in Ulster; Munster; Leinster and Connacht. they need to consider what safeguards are in place to lawfully transfer personal data post Brexit to Northern Ireland from the clubs in Munster; Leinster; Connacht and from their Ulster clubs in Cavan, Monaghan and Donegal.

What this means in practice is that in order to comply with GDPR rules, an Irish Sporting Organisation intending to transfer personal data to the UK will need to put in place specific safeguards to protect the data in the context of its transfer and subsequent processing. This can be done in a number of different ways, depending on the circumstances in which the data is to be transferred. One such way is the use of “Standard Contractual Clauses” and this is likely to be relevant to most Irish organisations that transfer personal data to the UK. Another such safeguard that Irish sports organisations may seek to rely upon is that of explicit consent. There are alternative safeguards that can be relied upon and advice should be sought when considering what lawful basis an Irish sporting organisation has to transfer personal data to any NI Sports organisation. It is important to flag that the onus is on the Irish organisation seeking to transfer the personal data to Northern Ireland to ensure appropriate safeguards are in place.

As with most Brexit related topics the future is unclear but best practice advice is to start preparing and implementing measures for a No-Deal scenario to ensure the continuity of free flow of data post Brexit.

Alicia McCrory, Barrister

Grant funding is available for specialist GDPR advice from Briefed. Please feel free to get in touch at alicia@briefed.pro or 02890 446780

The ICO have been given an early Christmas present – come the 17th December 2018, individual directors and company officers may be held PERSONALLY liable for fines issued by the ICO. Amendments to the PECR – Privacy and Electronic Communications (EC Directive) Regulations 2003- http://www.legislation.gov.uk/uksi/2018/1189/regulation/2/made - mean that where the ICO have served a monetary penalty on the firm for a breach which was aided by the ‘consent or connivance of the officer’ or ‘neglect on the part of the officer’, the ICO can ALSO serve a monetary penalty on the officer.

Who then qualifies as officer? The amendment spells out the potentially liable individuals as ‘directors, managers, secretaries or similar officer’ of a corporate body.

Motivated by the practice of some directors to shut up shop to avoid fines and the rigour of PECR for illegal marketing activities, only to set up similar enterprises with similar practices, the empowerment of the Commissioner to target individual officers with personal liability extending up to £500,000 will bring a sharp focus on the actions of marketing companies and departments. The requirements of PECR are little-known in comparison to the GDPR, with little attention being attributed to the legislation in the furore of the build up to GDPR. Revisions of the ePrivacy regulations are awaited from Europe but this timely introduction of personal liability will put PECR firmly in the spotlight and make for very nervous marketeers!

On the 8th August 2018 the ICO published their findings following an investigation into Lifecycle Marketing (Mother and Baby) Ltd. They were given a £140,000 fine for the illegal collection and selling of personal data of more than 1 million people. Sounds very murky and sinister…wonder how they got all that data? The name doesn’t ring a bell. Scroll a little further into the content and I discover one that does..Emma’s Diary. Now that made me sit up. The ‘UK's leading baby clubs for mums-to-be, providing expert advice on every aspect of pregnancy and childcare…’ according to their website. Roll back to mid-2016 when I discovered I was pregnant and freely and gladly signed up to Emma’s Diary, the freepost hardcopy application at the back of the magazine, the online version…where else do I sign, happy to tick every box to ensure I had access to the latest information and get that free tube of sudocreme..did I read the small print? Did I check the privacy policy? Did my lawyerly instincts not kick in and tell me to check and double check? It’s a baby magazine after all…they’ll never do anything wrong? Right? Wrong.

So, they sold my name, address, date of birth of my little one, not sure what else they had.. and it ends up with the Labour Party and consequently I was potentially the recipient of a Labour Party general election publication about their campaign to support the Sure Start programme. This is no criticism of the message and the good work which said policy may deliver. Nor indeed a reflection of my political views. But I’m starting to get a little annoyed here. I do feel a personal invasion of privacy and that of my one year old. Manipulated? Conned? Unhappy? Yes. Yes. YES. Suddenly GDPR has become very personal. I feel a subject access request coming on just to clarify what they have on me and my darling daughter, who else has it and to demand it is scrubbed. Now is this just my nerdy privacy specialist curiosity kicking in or do I genuinely feel aggrieved? Probably both and honestly, more so the latter. And it got me to thinking about who really knows about or actually goes the whole way to exercising their data subject rights. In conversations over the last year and particularly in the lead up to the 25th May 2018 privacy was a hot topic with a typically mixed bag of responses. From general annoyance at a swathe of emails begging for consent to marketing information, scare mongering about what had to be done to denial from the naysayers who thought GDPR compliance was nothing more than a tick box exercise. But the fact is your customers and clients, existing or future, are aware. So, they might not be able to recite GDPR chapter and verse, but they are aware of its existence, have a general understanding of its implications and more importantly their rights. And anyone who feels their rights have been trampled on with a little digging will know exactly what they must do.

Read a little more into the judgement here the failure to clarify within the privacy notice about who they were sharing data with seems to be their undoing.

So, what now? Well I’m off to issue my subject access request and will keenly await the results (that’s one calendar month and no fee thank you very much). And then I will ask them to delete my data. Just a note..Emma’s Diary has an annual circulation of 870,000 copies. Lifecycle Marketing supplied 1,065,220 records to the marketing company that in turn supplied the Labour Party circulation lists. Now that’s a lot of SARs! Imagine those sitting in your inbox. Time to review your privacy policy, make sure it’s up to scratch and check that you have properly informed your clients about their rights and what you will do with their information before your savvy well informed customer starts flexing their data protection muscles. For more assistance on GDPR policies and training, amongst other services, get in touch with me at Briefed at Caroline@briefed.pro.

GDPR now compels organisations to self-report both to the ICO and to those individuals whose personal data has been compromised on your watch. It’s a risk assessment, a judgement call on whether your breach event is ‘likely to result in a high risk to the rights and freedoms of natural persons’ in which case, time to ‘fess up.

But before the ink is dry on your referral to the ICO, the whole world, it seems, is talking about you for the wrong reasons and commentators are busy at work holding you up as the poster boy of data breaches.

Since the implementation of GDPR on the 25th May we have seen a dizzy array of potential data breach offenders come to the publics’ attention… but remember, no one is guilty yet. Seemingly the punishment for even being in the dock may be enough. Customers and clients are quick to loosen ties, well established or otherwise. Monzos jumped out of bed with Typeform in rapid fashion ‘we have ended our contract with Typeform, at least until they can prove they've improved their security, and have deleted all customer data from their servers’. It’s all about self-preservation and that’s fair enough. You don’t want to be tainted with the whiff of data breach about you, particularly when it may have affected your own client base. With the new-found liability for processors under GDPR there’s even more reason perhaps to distance yourself from the suspected perpetrator as the ICO get into the nitty gritty of who is really going to carry the can on this one. Now where did we put that data sharing agreement??

And so, the reality is hitting home. We don’t yet know how the regulators across Europe will dish out the fines…. but perhaps the real damage comes from our obligations under GDPR to report the breach within 72 hours, before you have a chance to get to the bottom of it all. Before the ICO have time to adjudicate your customers may have gone elsewhere. When the decision is finally made, even with a clean bill of health, will they call come back, cap in hand?? The Liberal Democrats also affected by the Typeform fallout state ‘we will be re-evaluating our relationship with them in light of this incident. We take the security of our data seriously and if we are not satisfied that sufficient steps have been taken to secure your data, we will terminate our relationship with Typeform’.

So, the old adage ‘there’s no such thing as bad publicity’ is being well and truly tested. Dixons Carphone, Ticketmaster, Typeform and the like need to have the spin doctors of all spin doctors to tidy up the mess. Organisations are nervous about the risk and implications of association with others who have had a data breach and won’t necessarily wait around for the outcome of any investigation. Reassurances from on high within organisations may well quell fears…. the commercial realities, the costs of jumping ship, the operational task of bringing custom elsewhere may compel your customer to stay with you rather than going to your nearest and sometimes ’dearest’ competitor and, after all, who can you trust…it could be them next!

Managing your data breach, getting the right advice, having the disaster recovery plan in place, data-sharing agreements with a third party…recent events show just how critical it is to have expertise on hand to guide you through the storm. Whether its planning and policy or data breach management, Briefed consultants can assist you with the way forward. Contact Briefed at..Hello@briefed.pro or at 028 90446780

As organisations work through their GDPR compliance checklist, the thorny issue of who is going to be crowned Data Protection Officer arises. Whilst employees have been happy to contribute their time and skills to a GDPR reference group you may have set up, there’s relative safety in numbers. Going solo ain’t so much fun and no doubt a lot of people are trying to duck out of this particular accolade. And let’s be honest...it is a daunting task.

The appointment of a Data Protection Officer(DPO) is mandatory for certain types of organisations – processing carried out by public authorities, where the core activities of the organisation involve regular and systematic monitoring of data subjects on a large scale or processing of sensitive data including data relating to criminal matters on a large scale. The GDPR is silent on the definition of ‘large scale’ so time to do some homework to determine if you are an organisation that is required to have a DPO at the helm.

The Article 29 Working party have given a little helping hand and identified some specific examples of large scale processing which include:· processing of patient data in the regular course of business by a hospital· processing of travel data of individuals using a city’s public transport system (e.g. tracking via travel cards)· processing of real time geo-location data of customers of an international fast food chain for statistical purposes by a processor specialised in these activities· processing of customer data in the regular course of business by an insurance company or a bank· processing of personal data for behavioural advertising by a search engine· processing of data (content, traffic, location) by telephone or internet service providers

Even where you assess that a DPO is not required under GDPR for your organisation, many are nonetheless taking this brave step and formally appointing a DPO. Where this is done on a voluntary basis and you are formally nominating someone as DPO then you will need to adhere to the requirements of the role set out in Articles 37-39 of the legislation. And there’s quite a to do list: Advising employees about data protection; monitoring compliance, internal data protection activities, raising awareness of data protection, staff training, audits, advising on data protection impact assessments, co-operation with the ICO, management of breaches, point of contact for all data subjects and so on…oh and the DPO must be registered with the ICO. The guidance also steers you away from appointing head of Legal, IT, HR as the DPO to ensure independence of the role.

Another option is to nominate someone as a Data Protection Lead(DPL)…essentially a DPO in all but name who doesn’t need to be formally registered with the ICO. Whilst they are not tasked with same regulatory must do’s, again, the same issues arise. Less a question of work life balance but work work balance. Allocating the time to sufficiently manage data protection on top of a busy schedule, whether as a DPO or DPL, is a battle – it’s the same juggling act, which ball is going to be dropped first?

Outsourcing the DPO/DPL role is an option many organisations are investing in. With senior staff already over stretched, the prospect of trying to upskill someone in data protection regulations who is already managing a bulging inbox and to take time and resource away from their existing roles is something that may not be workable. That 8th day of the week just hasn’t come along yet. Something will give and no doubt it will be the DPO/DPL responsibilities. With the GDPR, letting data protection quietly slide into the ‘never never’ is just not an option. Outsourcing the role to a data protection specialist may be the answer to all your problems and give you that independence and reassurance of knowing that your data protection requirements are in safe hands. Tick.

At Briefed, outsourced data protection officer or lead consultancy is one of the services we can offer to our clients. Speak to one of our consultants to have a better understanding of how we can work with you to address your specific needs. Please do not hesitate to contact us at Hello@Briefed.pro or on 028 90446780.

In her address yesterday, Information Commissioner Elizabeth Denham reminded businesses throughout the UK that “DP-Day – is only 27 working days away”. For those who have, as yet, undertaken no work to achieve and demonstrate compliance, this timeframe will certainly add to existing pressure. With the deadline looming, we have found an increase in misinformation around data protection and GDPR. In an effort to help your compliance journey, let’s dispel some prominent myths.

Advice and support is available.

When working with barristers, solicitor firms and chambers, our clients often struggle to accept that, as the regulator, the Information Commissioner’s Office can also be a source of advice, support and resources. Perhaps given recent experience of regulatory regimes within the legal sector, this may be understandable. However, the Information Commissioner reinforced the message that there is “no intention of changing our proportionate and pragmatic approach after 25 May. My aim is to prevent harm, and to place support and compliance at the heart of our regulatory action. Voluntary compliance is the preferred route”. For those adopting a genuine, responsible and diligent approach to becoming compliant, this should allay some concerns.

The ICO promises tough action.

Equally, we can experience a level of bravado or procrastination that GDPR and data protection is not a priority or irrelevant. There is a disbelief of the “hype” surrounding GDPR and the increased penalties. Notwithstanding their pragmatic approach, Denham warned “we will back this up by tough action where necessary; hefty fines can and will be levied on those organisations that persistently, deliberately or negligently flout the law”. In light of this, non-compliance is a high risk strategy for any barrister or chambers.

Monetary fines aren't the only sanction.

Recent images of ICO Enforcement Officers entering and searching the offices of Cambridge Analytica had sobering effect for many businesses. Most barristers believe their only interaction with the ICO would be if a data breach occurs. This notion fails to recognise other enhanced powers afforded through GDPR, specifically the power to audit all those who hold, use and share personal data. In the context of your own practice or Chambers, you will know best how concerning a compulsory data protection audit would be. It is worthwhile highlighting that a fine isn’t the only sanction to be concerned with. The Information Commissioner has flagged the range of sanctions available that “may not require a cheque to the Treasury, but they will have a significant impact on reputation and, ultimately, companies’ bottom line”.

Reporting a breach is now mandatory.

The notion of mandatory self-reporting causes considerable consternation, due to the misbelief that a self-report will result in an investigation. The ICO is investing resources to ensure the reporting process is “simple and effective”. Again, the Information Commissioner has stated “our focus will be on identifying whether your breach is a reportable one, working with you and calling in whoever else we need to involve, to help you make the right decisions in those key first few days”. Obviously, the circumstances and the nature of the breach will dictate whether an investigation follows thereafter – if so, your level and evidence of compliance will be critical to the overall outcome.

Given the many different administrative arrangements across Chambers and individual practices, it can be difficult to accurately interpret the legislation in the context of your particular circumstances. This is why BRIEFED has been instructed by over 60 chambers to help them navigate through their compliance journey. We also offer a range of online training consultancy services and compliance tools available here. Members of the Bar of England and Wales enjoy a 10% discount with code BCEW at checkout.

Despite what some may think, the concept of a ‘Data Protection Officer’ is not new. In the UK, many organisations chose to appoint Data Protection Officers as best practice. The relevant change under the GDPR is that such appointments will now be mandatory for organisations who meet the stated criteria. In recent training sessions and client meetings, the question has been posed whether barrister’s chambers should do so.

The Criteria

Let’s first consider Article 37 of the GDPR which outlines the criteria where the appointment of a DPO by a controller or processor is mandatory:

I. The processing is carried out by a public authority;

II. The core activities of the controller or processor consist of processing operations which require regular and systematic processing of data subjects on a large scale; or

III. The core activities of the controller or processor consist of processing on a large scale of sensitive data or data relating to criminal convictions/offences.

The Interpretation

For Chambers, the first criterion is irrelevant. However, the second and third could pose potential issues. Unhelpfully, the GDPR does not define what constitutes largescale processing. However, Recital 91 specifically provides that ‘the processing of personal data should not be considered to be on a large scale if the processing concerns personal data from patients or clients by an individual physician, other health care professional or lawyer’. As with much of the GDPR, there is considerable scope for interpretation and a lack of definitive guidance on how to apply the various principles and articles in specific sectors. It is evident that individual barristers will not require a DPO; however, it remains less clear whether certain chambers by virtue of their size, the volume and sensitivity of the information processed may require a mandatory DPO.

Notwithstanding any mandatory requirement, Chambers may still choose to appoint a DPO. The ICO believes it may be useful for organisations to designate a DPO voluntarily. Even the Article 29 Data Protection Working Party “encourages these voluntary efforts”.

In the course of supporting Chambers through their compliance journey, we have seen various informal iterations of such a role – a management committee member, a designated barrister within chambers and a senior clerk or administrator. Recognising their importance, the GDPR lays down conditions for his or her appointment, position and tasks. The GDPR is very clear that when a DPO is appointed on a voluntary basis, the requirements under Articles 37 to 39 will still apply as if the designation had been mandatory. If Chambers simply wants to allocate the tasks associated with compliance to particular individual, they should not be referred to as a DPO.

Given the heavy reliance on transparency and being able to demonstrate compliance, Chambers who determine not to appoint a DPO should record their thinking and decision as part of their compliance documentation. This may take the form of the management committee minutes or a written determination from the Head of Chambers.

It is worthwhile reiterating that the DPO, whether mandatory or voluntary, bears no personal responsibility for non-compliance with the GDPR. The responsibilities and obligations of the data controller or processor cannot be passed or transferred and they remain accountable for compliance.

Given the many different administrative arrangements across Chambers and individual practices, it can be difficult to accurately interpret the legislation in the context of your particular circumstances. This is why BRIEFED has been instructed by over 45 chambers to help them navigate through their compliance journey. We also offer a range of online training and compliance tools available here. Members of the Bar of England and Wales enjoy a 10% discount.

This month, I had the pleasure of delivering GDPR and Data Protection training for the Bar Council in London. Both sessions were fully subscribed and sold out quickly, perhaps indicating the level of interest or concern within the profession. Having conducted my fair share of cross-examinations, it was an interesting experience to be on the receiving end of questions! Despite the roles of data controller and data processor existing prior to GDPR, significant confusion remains about the roles in the context of barristers and chambers.

Data Controller

Under GDPR, a data controller is “the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data.” Under this definition, we can clearly see that barristers are data controllers for their client information – they are directly responsible for, and must be able to demonstrate, compliance with the GDPR principles. Depending on the nature of instructions or the case, it is likely that most barristers and the instructing solicitor firm will operate under a joint controller relationship.

It should be noted that the definition of a controller is a person – for the majority of Chambers, this means that the Head(s) of Chambers is the recognised data controller for the personal information held about employees and members of Chambers. Head(s) of Chambers must be aware of their responsibilities and liabilities under GDPR. This is prompting much discussion at management committees. To this end, the Bar Council has asked BRIEFED to deliver a special training session for Heads of Chambers – details available here.

Data Processor

According to GDPR, a data processor is “a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller”. This reflects the relationship between chambers and its members. Under the Head of Chambers, the Chambers provide a range of services to assist members in their practice. The GDPR places specific legal obligations on Chambers as data processors; for example, to maintain records of personal data and processing activities. Furthermore, it introduces legal liability if Chambers are responsible for a breach. Where a processor is involved, this does not relieve individual barristers of their obligations. The GDPR places further obligations on barristers as controllers to ensure contracts with processors comply with the GDPR. Defining the lines of liability is critical – which is why a data processing/sharing agreement must be in place between each individual barrister/controller and their Chambers. The agreement will definitively state the role, responsibilities and obligations on both parties

Given the many different administrative arrangements across Chambers and individual practices, it can be difficult to accurately interpret the legislation in the context of your particular circumstances. This is why BRIEFED has been instructed by over 45 chambers to help them navigate through their compliance journey. We also offer a range of online training and compliance tools available here. Members of the Bar of England and Wales enjoy a 10% discount.

Over the five years of working with barristers and chambers on all aspects of data protection and the GDPR, one of the most frequently asked questions is “what is a breach?” This is usually followed by a suggested scenario, a strictly hypothetical one of course! Most seem shocked by the extent of what constitutes a data breach so it may be useful to explore this further here.

What constitutes a data breach?

You have to be able to recognise a breach in order to properly deal with one. Article 4(12) defines a “personal data breach” as:

Under GDPR, data controllers and processors must comply with this fundamental principle:

“using appropriate technical and organisational measures, personal data shall be processed in a manner to ensure the appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage.”

It is worth reiterating that the GDPR only applies where there is a breach of personal data. Not all security incidents are necessarily personal data breaches. This is one of the reasons why barristers and chambers are being urged to review their systems, policies and working practices now. Consider the difference if a burglary occurred in chambers or at home where all devices are encrypted, offices are secured, a clear desk policy is followed and papers are stored in locked cabinets.

What should I do if a breach happens?

Having taken all reasonable steps to prevent a breach but it nonetheless occurs, the ability to react in a timely manner is critical. The GDPR makes notification to the Information Commissioner mandatory for all controllers unless a breach is unlikely to result in a risk to the rights and freedoms of an individual(s). Given the type of personal and sensitive information held by barristers, a breach is likely to have adverse effects such as the potential for identity theft or fraud, damage to reputation or social disadvantage and therefore, would constitute a risk to the rights of individuals.

Regardless of whether a breach in data was due to the barrister or the chambers, the barrister must notify the Information Commissioner’s Office within 72 hours. There is no expectation that all details relating to the breach will be available or known but the key is to register the breach within the timeframe. Any undue delay may give rise to an investigation.

Although barristers have overall responsibility for the protection of data, chambers have an important role to play in helping barristers comply with their obligations. If chambers become aware of a breach, they must inform the barrister(s) without undue delay. Furthermore, if the barrister has given authorisation, chambers could initiate the notification on their behalf. Given the interdependencies, it is vitally important that the data processing agreement is clear on these matters.

Whilst we much prefer being engaged as a proactive step towards compliance, there are unfortunately times when our help is needed to manage a data breach or navigate a client through an ICO investigation. Contrary to what may be believed, the focus of the notification is to encourage controllers to act promptly, to contain a breach, to recover the compromised data and to seek relevant advice. As has been our experience to date, not all notifications will result in punitive action. The risk of failing to notify and the ICO becoming aware of the breach by other means is too great to contemplate.

Briefed can help barristers and chambers with GDPR compliance - we also offer a range of online training and compliance tools available here. Members of the Bar of England and Wales enjoy a 10% discount.

In last week’s article, we highlighted the low level of awareness amongst businesses and barristers of the GDPR and their responsibilities under the legislation. By comparison, new research published this week proves consumers and clients are keenly aware and intent on exercising their increased rights post-May 2018.

Unsurprisingly, 58 per cent of respondents think the regulation is a positive step towards protecting their data and privacy. Perhaps reinforcing the rationale behind the GDPR and stricter data protection laws, only one in five (19%) were confident their personal data is used in the best possible way.

With over a third (34%) of respondents stating their intention to exercise their individual rights under the General Data Protection Regulation (GDPR), as data controllers, barristers should prepare themselves for processing a variety of requests.

What should a barrister expect?

Under the GDPR, clients have the right to be informed. Barristers need to be aware of the type of information they should supply and when individuals should be informed.Furthermore, the information must be “concise, transparent, intelligible and easily accessible”; written in clear and plain language and free of charge.

Clients will have the right of access, which allows individuals to request access to their personal data and supplementary information so they can be aware of and verify the lawfulness of the processing. It is only possible to refuse such request if it is manifestly unfounded, repetitive or excessive.

If an individual finds that data held is incorrect or incomplete, they have the right of rectification. The barrister must then take steps to correct the data held and contact anyone they have shared the information with the correct details.

Significantly, GDPR confers the right to be forgotten, which allows individuals to request the deletion of their personal data where there is no compelling reason to hold the information any longer. There is a relevant exemption for the legal profession which includes the exercise or defence of legal claims.

There are a number of others rights including the right to object, to restrict processing, to data portability and related to automatic decision making, which are of lesser significance to individual barristers.

What should barristers do?

The importance of a data protection policy for your practice cannot be underestimated as well as supporting privacy notices, which are clear and easily understood. These are the fundamental tools which detail how you manage, use, process, secure and dispose of personal data.

Any of these requests can be submitted at any time. They must be complied with, free of charge and generally within one month. Any refusal or lengthy delay risks a complaint to the Information Commissioner and/or the profession’s regulator.

To comply cost-effectively and time-efficiently, barristers should review their current practices and determine how and for what length of time they store information, both in paper and electronic form. In terms of practicality, consider your current filing system, email account, offices, any storage archives, how easily could you retrieve information and comply with any of these requests? In terms of administration, barristers must be able to demonstrate their process for managing such requests, record any requests received and how they were complied with.

Any barrister or business who has processed a subject access request under data protection laws will concur that without appropriate policies and procedures, complying with such requests can be difficult, lengthy and costly. Preparing In advance of GDPR is key!

Briefed can help - we also offer a range of online training and compliance tools available here. Members of the Bar of England and Wales enjoy a 10% discount.

Recently published research from the Cyber Security Breaches Survey highlighted that fewer than half of all businesses and charities are aware of new data protection laws coming into force. Given that May 2018 is now only four months away, concern has prompted the UK Government to issue a warning over businesses' lack of preparation.

Regardless of your viewpoint on whether a barrister’s practice is a business, GDPR will apply just the same. From the perspective of the Information Commissioner, barristers are individually responsible as data controllers and must demonstrate compliance with their own practice.

Undoubtedly, you will have read countless articles, blogs or commentary on GDPR. The Bar Council has been proactive in raising this issue. Reputable chambers are taking action to ensure their compliance. So by now, your general awareness may be fairly good or is it?

What should a barrister be aware of?

First and foremost, barristers need to know about the legislation, the governing principles and the nine key changes GDPR will make to current data protection law. Training in GDPR is therefore essential and represents a key component in defending any potential action by the Information Commissioner.

Secondly, barristers must be aware of the information they hold. Practice at the Bar and access to personal and/or sensitive information are inextricably linked. As the data controller, the barrister is responsible for knowing what type of information they hold, the lawful bases to hold it, whether you can and with whom you can share it, how you should accurately maintain, store and responsibly dispose of such information. Furthermore, barristers must have this recorded in supporting documentation.

Thirdly, compliance is critical. Barristers must apply the GDPR principles to the daily operation of their practice. This includes risk assessing your home work environment, your office work environment, your transport, your IT security and practices, your digital and hard copy storage arrangements. Unfortunately, your chambers cannot do this on your behalf.

Lastly, barristers are more than familiar with mitigating on behalf of clients. Having undertaken no training, copying and pasting a generic policy, failing to adopt security measures, keeping records for fifteen years or holding no data sharing agreements are examples of unacceptable practices. Given that the outcome of any potential audit or investigation often rests on the strength of the mitigating evidence you can demonstrate to the Information Commissioner, such practices would place a barrister at significant risk.

How can Briefed help you become aware?

In conjunction with the Bar Council, the Briefed team will be in London next month, delivering training courses specifically for barristers (8 March) and for chambers staff (9 March). We also offer a range of online training and compliance tools available here. Members of the Bar of England and Wales enjoy a 10% discount.

We are meeting with Chambers throughout the legal quarter, delivering gap analysis reports and action plans. We will also be celebrating with others who have completed their compliance journey. Please contact us if we can help you or your chambers.

Over the past number of months, Briefed has been engaged by many chambers and barristers to support and guide them through their GDPR compliance journey. One of the most common misconceptions is that the GDPR is yet another tick-boxing exercise, designed to frustrate an overworked profession. If this is your impression, you have been warned to think again!

The EU General Data Protection Regulation (GDPR) marks a wide reaching and significant shift in how all organisations must manage and protect personal data. In May 2017, Information Commissioner Elizabeth Denham advised that rather than just box-ticking, the focus must be on developing a “framework that can be used to build a culture of privacy that pervades an entire organisation”.

Article 5 of the GDPR states that “the controller shall be responsible for, and able to demonstrate compliance with” six privacy principles. The sixth principle (integrity and confidentiality) states that personal data shall be “processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures”.

In March 2017, a senior barrister who failed to keep clients’ sensitive personal information secure was fined by the Information Commissioner’s Office (ICO). Steve Eckersley, Head of enforcement at the ICO said: “People put their trust in lawyers to look after their data - that trust is hard won and easily lost. This barrister, for no good reason, overlooked her responsibility to protect her clients’ confidential and highly sensitive information.”

Under GDPR, changes will be required in our policies and procedures but also in our working habits; it will require resources in terms of time, systems and finances but mostly, it requires the collective and individual commitment of chambers and barristers to the principles underpinning GDPR. The ICO has repeatedly stated that evidence of such commitment will be the key to mitigating any sanction post 25th May 2018.

The days where the responsibility for privacy protection is left to someone else are over. From 25th May, both the barrister and the chambers can potentially be audited, investigated or fined. Barristers cannot simply rely on their chambers having the proper policies and procedures; they must be able to demonstrate compliance in their own individual practice. Chambers can no longer accept traditional individualised methods of working and will have no choice but to hold their members to account. Ultimately, the risks, sanctions and consequences that will result from even a simple data breach raise the importance of the GDPR from an issue of compliance to a critical business imperative.

With the introduction of new data protection legislation fast approaching, many organisations are sourcing outside expertise to help them reach GDPR compliance. In a world where most hadn’t heard of GDPR a year ago, there are now many businesses offering GDPR services and products. So how do you sort the good from the bad, and decide who entrust with such an important task?

Barrister and GDPR specialist Orlagh Kelly offers some advice on what to look out for in your GDPR consultant.

1. LEGAL EXPERTISE

GDPR is first and foremost legislation. If you’re seeking to understand the impact new legislation has on your business, who do you usually ask? Legal experts. Look for GDPR advisers who have a deep knowledge and experience of data protection legislation and case law. Not just the new legislation, but the Data Protection Act 1998 too. Such are the complexities of the GDPR legislation you need someone who can interpret legislation easily, and translate how it applies to your business.

2. LONG TERM OUTLOOK

GDPR brings ongoing obligations and liabilities, similar to health and safety or anti-money laundering legislation. Your GDPR consultant should be someone you can depend on going forward, rather than a short term solution. Look out for a partner who can safely guide you on the legislation, perhaps for years to come.

3. KNOWLEDGE OF GDPR CRISIS MANAGEMENT

Should you suffer a data breach you will enter the difficult and draining scenario of being investigated by the Information Commissioner’s Office. A good GDPR partner will be able to defend your business for you. Having worked closely with your organisation and helped implement your GDPR compliance project, your consultant will be informed and able to launch your defence. Before you choose your consultant ask yourself if you are satisfied that they could advise and represent you if needed.

4. NO ULTERIOR MOTIVES

Last but not least, be wary of GDPR ‘experts’ who work hard to create the impression they have GDPR ‘expertise' as a precursor to selling. The publicity around GDPR has lead to many companies jumping on the bandwagon, providing GDPR ‘expertise’ as a sales tool, scaremongering clients into believing they can only achieve compliance through purchasing their products. In most cases it is possible to achieve compliance whilst working with an organisation’s existing systems, so if you are being given the hard sell, tread very carefully. The perfect GDPR consultant comes from a data protection background

At Briefed we are very excited to let you know that our founder and #1 data protection specialist, Orlagh Kelly, will be discussing the GDPR issues that matter most to you and your business in her informative new column, the GDPR Guru, live now on syncni.com.

In order to help you to reach GDPR compliance we need to know the data protection issues that are concerning your business. To pose a question to Orlagh or suggest a topic for discussion, email info@briefed.pro or complete our contact us form.

In the mean time, here's some information about how one of Northern Ireland's top barristers made the transition to GDPR Guru, helping hundreds of businesses to meet their data protection obligations along the way...

1. How did a barrister become a tech entrepreneur?

I always dreamed about a becoming a lawyer. I saw an episode of Perry Mason when I was a child and fell in love with the idea of court work. I really wanted to fight for people who couldn’t fight for themselves.

At 25, I was called to the Bar and found myself self-employed and tasked with building my own practice. But it went well - I established a successful family law practice, handling over 200 cases a year as one of the top-earning family barristers in my jurisdiction.

Since childhood I have dreamt of a career as a barrister. I saw an episode of Perry Mason and fell in love with the idea of court work and of fighting for people who couldn’t fight for themselves. From that day my commitment to my goal was unwavering - I wanted into the courtroom and I wanted to get there fast.

I was called to the Bar aged 25 and having never considered running my own business I found myself

self- employed and tasked with building my own practice. 8 years on I had established a successful family law practice, handling over 200 cases a year as one of the top earning family barristers in my jurisdiction. But the practicalities of running my own business were holding me back - I was overrun by paper work and had no way in which to market myself effectively and grow the business. I knew the answer lay in technology and with no practice management tools available for barristers I took the daunting step into the world of tech and set about developing one myself. And so Briefed was born.

It became clear that one of the key advantages for barristers using the platform was the ability to easily increase their data security. I realised that businesses needed access to a range of products and training in order to meet their data protection and GDPR requirements, a need that no one was satisfying. Hence, Briefed has evolved into a business, not only offering the original case management system but which services companies on every step of their compliance journey, through our e-products and training and our consultancy services.

The two sides of the business go hand in hand. The knowledge and understanding we gain from working with organisations and learning about the practical challenges presenting from GDPR, shapes and informs our online offerings, ensuring a relevant product designed to truly up skill the user.

2. What was the biggest lesson you learned in different acceleration and incubation programmes?

It’s very easy to assume everyone else knows what is best for you and your business. Early on, I was encouraged to aim for a Silicon Valley-type business with hundreds of employees and investors, but in reality that wasn’t my personal goal. I’m very happy now with what is a high-quality business with a prominent brand in the UK and Ireland. Over time, I learned to trust in myself and back my own judgment.

3. If you could go back in time, what advice would you give to yourself in the run up to the launch of Briefed?

I’ve gained a lot from the Lean Startup Methodology. It’s a scientific approach to testing target markets and understanding the appetite for a product prior to development. As the revenue required for development is generated through sales, this way of working can reduce timescales and the need for outside investment. Had I worked with this methodology from the get-go, I could have brought the original Briefed product to the market faster and at less expense.

“The General Data Protection Regulation or GDPR as it is commonly known, is updated data protection legislation that mandates how organisations handle personal data.

Personal data is anything from which a person can be identified, such as an IP address, an email address, a bank account number, even a Facebook profile page or library card number. If your organisation processes personal data of any kind, you need to ensure that you are compliant with GDPR by the enforcement date of 25 May 2018.

Failure to comply will have major consequences, including:

Monetary fines

Public recognition of the sanction and subsequent damage to reputation

“It has been widely publicised that the penalties under GDPR are much more severe than under the Data Protection Act 1998. The penalty which has received the most coverage is the monetary fine, issued by the ICO. Currently the ICO has the power to issue a fine of up to £500k. Come 25 May 2018, under GDPR, the ICO will have the power to issue a fine of up to £17m or 4% global turnover, whichever is higher.

Secondly, and a penalty which I have found to be much more costly for businesses than any fine, is the publicity the ICO is allowed to generate relating to your sanction. When sanctioned, the ICO will issue a press release, detailing your breach and the sanction they have imposed upon you. Current customers will hear about the data breach, potential customers will hear about the data breach, competitors will hear about the data breach. The impact on the sustainability of your business can be catastrophic.

Thirdly, the ICO have the powers to issue criminal proceedings against your organisation for failure to comply with the legislation. And you could find yourself in court again, being sued by the data subjects for failing to protect their personal data.

“Since the Britain voted to leave the EU in June 2016, I have continuously been asked this one question - Can we ignore the GDPR because of Brexit?

The simple answer is NO.

What most people do not know is that GDPR legislation is already in force in the UK. We are currently in a two year grace period until 25 May 2018, at which point GDPR will be enforced in the UK. On this date we will still be a member of the European Union and we will need to abide by EU law.

Additionally, any business selling goods or services into Europe or monitoring the behaviour of EU citizens needs to be compliant with GDPR, regardless of their global location. This includes organisations as far afield as the USA or Australia, or most importantly for you and I, organisations in the UK.

If you have been ignoring the GDPR under the belief that it would disappear due to Brexit then think again. You need to consider your data protection obligations under GDPR and you need to consider them now.

“The GDPR requires that an entity appoint a Data Protection Officer if they are:

A public authority

An organisation which carries out large scale monitoring of individuals, such as online behavioural tracking

An organisation which carries out large scale processing of special categories of data or the processing of criminal offences.

The GDPR defines special categories of data as personal data that reveal the following about an individual:

Racial or ethnic origin

Health conditions

Sexual activities

Sexual orientation

Political views

Membership of a trade union

Genetic or biometric data

Religious or philosophical beliefs.

If you process any of theses categories of data on a large scale, then you are required to appoint a Data Protection Officer.

The one caveat on this, is that as of this point, September 2017, there is no clarification as to how large scale will be categorised. Data protection specialists, including myself, are awaiting guidance from the ICO as to how this will be classified.

However, regardless of the boundaries that the ICO decide upon, my advice would be - if you are an organisation that would suffer greatly from a breach, in terms of fines, or repetitional damage, then you should consider appointing a designated Data Protection Officer. It is safer for you and your customers to have someone with the appropriate expertise ensuring your compliance obligations are being met on an ongoing basis.

If you want to here more about how Briefed can help you on your journey to GDPR compliance, please visit briefed.pro/gdprservices”.

“When most people hear the term data breach they think of a large scale hacking by foreign cyber criminals but, in reality a breach can come in a much more mundane and simple form.

Under GDPR a data breach is defined as - ‘A breach of security leading to the accidental or unlawful destruction, loss, alteration or unauthorised disclosure of, or access to, personal data, transmitted, stored, or otherwise processed.’

But what does this mean for you and your organisation?

Here are some previous examples of fines issued by the ICO. It is worth remembering when considering these fines that these were issued under the previous legislation with fines capped at £500k. Under GDPR the ICO will have the power to issue fines of up to 34 times higher!

A solicitor sent an email to the wrong person - fined £120k

A social worker left papers on a train - fined £70k

A filing cabinet was sold containing old files - fined £185k

Medical records were left in a disused building - fined £225k

A report was posted to a wrong address - fined £60k

A memory stick was stolen from a staff member’s home - fined £150k.

Along with each of these fines the ICO issue a press release, publicising your sanction. The combined monetary and reputational damage can have serious repercussions on the sustainability of a business, in some cases leading to business failure.

To hear more about how we can help your organisation to become GDPR ready and avoid the penalties associated with non compliance, visit briefed.pro/gdprservices”.

“I am often asked why we need the new GDPR and why we can’t continue to operate under the Data Protection Act 1998?

The Data Protection Act is based upon data protection legislation, first laid down in 1995. At this point I would ask you to think back to your life in 1995... What technology did you regularly use? The internet was not widely available. Hardly anyone had a mobile phone. Phone numbers were written down in address books. Photos were developed. Holidays were booked on Teletext or Ceefax. The amount of data you shared was limited.

Now think about your life as you live it today. How many apps do you have on your phone? How often do you open these apps and what activities do you use them for? Do you buy goods or services? Do you pay bills or check your bank balance?

The way we use and share information has altered exponentially in ways we could never have envisaged in 1995.

Quite simply the DPA 1998 is no longer fit for purpose and the GDPR is updated data protection legislation, designed to ensure the safety of personal data in our modern, technological world.

To find out more about GDPR and how we can help your organisation become and remain compliant, visit briefed.pro/gdprservices”.